
[h2o-discuss] Mission: Source-Out!
Jon Garfunkel writes:
 > I believe Microsoft has been undergoing a Source-Out mission of AOL's AIM.
 > There are also well-publicized analogues in the security world, where
 > security hackers undertake a similar mission to find security
 > vulnerabilities.

I'm not sure what you mean by "source-out mission".  Microsoft is
certainly trying to reverse engineer AOL's protocols, but last I
heard, they weren't planning to release the source code for their
clients.  ("Reverse engineering" is a term of art in engineering
generally for attempting to determine specs for somebody else's
product by examining the product itself, so that you can make your
own, plug-compatible version; the term is widely applied both in
computer hardware and software engineering).

In any case, there are a lot of things going on in the AIM
situation which raise potentially interesting legal issues:

[1] AOL had already released open-source clients for its internet
    messaging servers --- these use a variant text-based version of
    their actual, full-strength binary OSCAR protocol, which doesn't
    have all of OSCAR's features, but is adequate to support most
    ordinary chat.  Since this fracas started, they have shied away
    from this --- the home page for their open source effort has
    vanished (though the code itself hadn't been deleted, as of a week
    ago, and is still available from other sources in any event).

    Legal issue: the clients in question (TIK and TOC) were released
    under GPL.  I really get the feeling, given some of the public
    statements I've seen, that there are people in AOL management
    who'd like to have the code back, i.e., to revoke the public
    license granted by their own GPLed release.  The consensus among
    hackers in the open source community is that they can't actually
    do this, but I'm not aware of any actual legal precedent which
    specifically says so.

[2] Of course, as the owners of the TIK code, AOL can reissue it with
    a different and more restrictive license, along the lines of the
    "no-commercial-use" clauses in the licenses for all sorts of
    demoware.  And, as maintainers of the servers, they can change the
    protocol.  So, one thing they could do is change the protocol so
    that old clients don't work, and release clients for the new
    protocol under a more restrictive license; they wouldn't have
    stopped people from distributing the old code, but they would have
    made it useless.

    Legal issue: under what circumstances could people then tweak the
    old code --- still under GPL --- in order to make it work with the
    new servers?  To what extent could AOL make this legally difficult
    with "no reverse engineering" clauses in the license for their
    clients?

There's also a cute liability issue in the way that AOL is trying to
tell whether somebody's PC is running their own chat client or
Microsoft's; they're taking advantage of a "buffer overflow" in their
own software, which allows their servers to cause any code they like
to run on their clients.  The liability issue is this: by taking
advantage of the buffer overflow in their client, AOL has clearly
shown that they know about it.  If somebody *else* finds a way to use
the buffer overflow to cause malicious code (erasing hard drives,
locating and uploading quicken files, etc.), to run on PCs running the
AOL client --- perhaps by using TCP connection hijacking --- would
AOL's failure to fix it make them negligent and liable for the damage?

rst
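The client-side bug described in the last paragraph above is the classic one: the client trusts a length (or a terminator) supplied by the server and copies into a fixed-size buffer. The following is an added example, not code from the original post, from AOL, or from any real AIM client, and it does not reproduce the OSCAR wire format. It assumes a hypothetical frame layout (2-byte big-endian length followed by the payload) to show the two checks that close the hole: the declared length must fit the destination buffer, and it must not exceed the bytes actually received.

```c
/* Added example (not from the original post): parsing a constructed,
 * hypothetical length-prefixed frame on the client side, with the bounds
 * checks whose absence produces the kind of overflow the post describes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSG_BUF_SIZE 64   /* fixed client-side buffer, as in many 1990s clients */

/* Read the 2-byte big-endian length from the front of the frame.
 * Returns 0 on success, -1 if the frame is too short to carry a length. */
static int declared_len(const uint8_t *frame, size_t frame_len, size_t *out_len)
{
    if (frame_len < 2) return -1;
    *out_len = ((size_t)frame[0] << 8) | frame[1];
    return 0;
}

/* The unsafe pattern, kept as a comment only because it must not run here:
 *
 *     memcpy(buf, frame + 2, n);   // n came straight off the wire
 *
 * With n > sizeof(buf) the server chooses what gets written past the end. */

/* Hardened parser: copies the payload into out only if the declared length
 * fits the buffer (leaving room for a NUL) and matches what was received.
 * Returns the payload length, or -1 if the frame is rejected. */
int parse_frame_safe(const uint8_t *frame, size_t frame_len,
                     char *out, size_t out_size)
{
    size_t n;
    if (declared_len(frame, frame_len, &n) != 0) return -1;
    if (n >= out_size) return -1;        /* would overflow the destination */
    if (n > frame_len - 2) return -1;    /* declares more bytes than were received */
    memcpy(out, frame + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Reports (1/0) whether a naive memcpy of this frame into a buffer of
 * out_size bytes would have overflowed it; useful as a review or
 * fuzzing oracle for the unsafe pattern above. */
int frame_would_overflow(const uint8_t *frame, size_t frame_len, size_t out_size)
{
    size_t n;
    if (declared_len(frame, frame_len, &n) != 0) return 0;
    return n >= out_size;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    /* Constructed sample frames (hypothetical format, not OSCAR). */
    const uint8_t good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[]  = {0x01, 0x00, 'x'};   /* declares 256 bytes, carries 1 */

    printf("good: len=%d payload=%s\n",
           parse_frame_safe(good, sizeof good, buf, sizeof buf), buf);
    printf("bad:  len=%d overflow=%d\n",
           parse_frame_safe(bad, sizeof bad, buf, sizeof buf),
           frame_would_overflow(bad, sizeof bad, sizeof buf));
    return 0;
}
```

The second check matters as much as the first: a frame that declares more than was received makes a naive copy read past the end of the receive buffer, which leaks whatever sits beyond it even when the destination is large enough.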